I have enough other changes implemented to start testing this. I've added the code to my install, and the metadata to Schema.pm to generate the table entries, but I get the error "wallet: unknown ACL scheme ldap-group". I figured I missed something until I tried to add an ldap-attr ACL and got a similar error. I also get the error with a pristine install of wallet from git master. What else might need to be done to get wallet to accept ldap ACLs?
Ross Smith <[email protected]>
College of Engineering - CAEN - Unix and Linux Support

On Tue, Aug 28, 2012 at 4:18 PM, Russ Allbery <[email protected]> wrote:
> Russ Allbery <[email protected]> writes:
> > Ross Smith <[email protected]> writes:
>
> >> What is the best course of implementing something like this? I was
> >> planning to use the existing ldap-attr code as a starting point and
> >> implement this there?
>
> > That's what I'd do.
>
> > http://stackoverflow.com/questions/1032351/how-to-write-ldap-query-to-test-if-user-is-member-of-a-group
>
> > looks like the right way to construct the LDAP query to do a memberof
> > check.
>
> Some more thoughts on this:
>
> You need to decide whether to store in the ACL the full DN of the group or
> to store in the configuration some way to construct the DN given the group
> name. I would lean towards the former; it's a little uglier, but it's the
> most general, in case you have groups in multiple DN stems.
>
> I would therefore lean towards an ACL syntax like:
>
>     ldap-group cn=some-group,cn=groups,dc=example,dc=org
>
> (This is, in fact, exactly why the new LDAP ACL scheme is called ldap-attr
> and not just ldap; I knew we were going to need an ldap-group eventually.)
>
> You should then be able to reuse the existing code and configuration for
> how to map the authenticated user to a DN. Once you have the user's DN
> and the DN of the LDAP group (from the ACL information), you can then
> either do a memberof query (if you assume that the LDAP server has
> memberof support), or do something more complex where you do a compare to
> see if the group's member attribute contains the DN of the user.
>
> --
> Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
> ________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
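The two membership checks Russ describes (a memberOf search against the user's entry, or a compare of the group's member attribute against the user's DN) both interpolate one DN into an LDAP filter, so the value has to be escaped per RFC 4515 or a DN containing `*`, `(` or `)` changes what the filter matches. The following is an added example written for this thread, not wallet's own code (wallet is Perl; this is Python so it runs stand-alone). It assumes the ACL syntax proposed above, `ldap-group <full DN of the group>`, and that the caller has already mapped the authenticated principal to a user DN; no directory is contacted, the functions return the search base and filter that would be handed to an LDAP client, and `dn_in_member_values` shows the compare variant evaluated against member values already read from the group entry. The ACL string, DNs and member values in it are constructed sample data.

```python
"""Membership checks for a wallet-style ``ldap-group`` ACL (added example,
not wallet's code).  Returns the (base, filter) pairs an LDAP client would
use; the directory itself is never contacted."""
import re

ACL_SCHEME = "ldap-group"

# Characters RFC 4515 requires to be escaped inside a filter assertion
# value.  Interpolating a DN unescaped lets a value such as ``uid=*`` or
# ``uid=x)(objectClass=*`` change the meaning of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# A DN is a comma-separated list of ``type=value`` RDNs; ``\,`` inside a
# value is an escaped comma, not a separator.  Deliberately minimal check.
_DN_RE = re.compile(
    r"^[A-Za-z][A-Za-z0-9-]*=(?:\\.|[^,\\])+(?:,[A-Za-z][A-Za-z0-9-]*=(?:\\.|[^,\\])+)*$"
)


def escape_filter_value(value):
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_ldap_group_acl(acl):
    """Return the group DN from an ACL string such as
    ``ldap-group cn=some-group,cn=groups,dc=example,dc=org``."""
    scheme, _, identifier = acl.strip().partition(" ")
    if scheme != ACL_SCHEME:
        raise ValueError("unknown ACL scheme %s" % scheme)
    identifier = identifier.strip()
    if not _DN_RE.match(identifier):
        raise ValueError("ldap-group ACL identifier is not a DN: %r" % identifier)
    return identifier


def memberof_query(user_dn, group_dn):
    """Variant 1: rely on the server maintaining ``memberOf`` on user entries.
    Search the user's own entry (scope base); a non-empty result means the
    user is a member.  Returns (base, filter)."""
    return user_dn, "(memberOf=%s)" % escape_filter_value(group_dn)


def member_query(user_dn, group_dn, member_attr="member"):
    """Variant 2: ask the group entry whether its member attribute holds the
    user's DN, which is what an LDAP compare operation checks.
    Returns (base, filter)."""
    return group_dn, "(%s=%s)" % (member_attr, escape_filter_value(user_dn))


def _normalize_dn(dn):
    """Simplified DN normalization for a local comparison of ``member``
    values: case-fold and drop whitespace around unescaped commas.  A real
    deployment should let the server do the compare (variant 2) instead."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(r.strip().lower() for r in rdns)


def dn_in_member_values(user_dn, member_values):
    """Evaluate variant 2 client-side against member values already read
    from the group entry."""
    wanted = _normalize_dn(user_dn)
    return any(_normalize_dn(v) == wanted for v in member_values)


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    group = parse_ldap_group_acl("ldap-group cn=some-group,cn=groups,dc=example,dc=org")
    user = "uid=rsmith,ou=people,dc=example,dc=org"
    print(memberof_query(user, group))
    print(member_query(user, group))
    print(dn_in_member_values(user, ["UID=rsmith, ou=people, dc=example, dc=org"]))
```

The scheme check mirrors the "unknown ACL scheme" failure mode from the first message: an ACL whose scheme is not registered is rejected before any DN parsing happens. Whichever variant is used, the DN from the ACL and the user DN go through `escape_filter_value`, so a crafted DN component cannot widen the filter.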
